NZa created WW-4469:
-----------------------
Summary: Avoid sending Struts text in HTTP Response Headers
Key: WW-4469
URL: https://issues.apache.org/jira/browse/WW-4469
Project: Struts 2
Issue Type: Improvement
Affects Versions: 2.3.20
Environment: Ubuntu 14.04 LTS Server x64, JDK 8_31
Reporter: NZa
In ticket WW-4085 a default-action-ref name was introduced which works fine in
order to avoid messages like "There is no Action mapped for namespace
[/config-browser] and action name [] associated with context path
[/struts2-javatemplate].":
{code:xml}
<package name="/" extends="struts-default">
    <default-action-ref name="HelloWorld" />
    <action name="HelloWorld">
        <result type="redirectAction">
            <param name="actionName">HelloWorld</param>
            <param name="namespace">example</param>
        </result>
    </action>
</package>
{code}
It is possible to also get messages like this:
There is no Action mapped for namespace [/references/asdasd] and action name
[asdasd] associated with context path [].
Assuming we have the following configuration (this is in our example the one
and only package):
{code:xml}
<package name="root" extends="struts-default" namespace="/">
    <default-action-ref name="HelloWorld" />
    <action name="HelloWorld">
        <result type="redirectAction">
            <param name="actionName">HelloWorld</param>
            <param name="namespace">example</param>
        </result>
    </action>
</package>
{code}
Case 1: http://localhost:8080/asdasd
This works as expected, our default-action-ref "HelloWorld" is called.
Case 2: http://localhost:8080/asdasd/asdasdasd
This works as expected, our default-action-ref "HelloWorld" is called.
Case 3: http://localhost:8080/asdasd/asdasdasd/asdasd and so on
Like Case 2...
Case 2 and 3 will have a HTTP 404 response with the Struts error message.
I believe it is a good idea to have something that is called by the Dispatcher
in case namespace + action is not found.
Improvement 1:
Don't write typical Struts messages like "There is no Action mapped for
namespace [/references/asdasd] and action name [asdasd] associated with context
path []." into HTTP Header response fields if in PROD mode (it allows hackers
to assume that the server is based on Struts, obfuscation is better...)
Improvement 2:
Allow maybe something like <default-not-found-action-ref name="Http404" />
similar to ticket WW-4085 to be in sync.
I believe that the current workaround is something like this (which should also
be documented better):
{code:xml}
<struts>
    <unknown-handler-stack>
        <unknown-handler-ref name="MyUnknownHandler1" />
        <unknown-handler-ref name="MyUnknownHandler2" />
    </unknown-handler-stack>
</struts>
{code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
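The unknown-handler-stack workaround the reporter mentions only names handlers; the handler classes themselves have to be written by the application. The following is an added illustration of such a handler, not code from the reporter or from the Struts project: it implements the XWork UnknownHandler interface and answers every unmapped namespace/action pair with a bare HTTP 404 instead of letting the dispatcher emit "There is no Action mapped for namespace [...] and action name [...]". The package name com.example.struts, the class name NotFoundUnknownHandler and the package name "root" used for the synthetic action are assumptions chosen for the example (the last one matches the reporter's configuration); the Struts/XWork classes and parameters used are the real ones from the 2.3.x line.

```java
package com.example.struts; // assumed package name, not part of the Struts project

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.Result;
import com.opensymphony.xwork2.UnknownHandler;
import com.opensymphony.xwork2.XWorkException;
import com.opensymphony.xwork2.config.entities.ActionConfig;
import com.opensymphony.xwork2.config.entities.ResultConfig;
import org.apache.struts2.dispatcher.HttpHeaderResult;

/**
 * Catches every namespace/action pair that has no mapping and turns it into
 * a plain HTTP 404, so the client never sees Struts-specific error text.
 *
 * The dispatcher consults the unknown-handler stack before it gives up with
 * "There is no Action mapped for namespace [...]"; returning a non-null
 * ActionConfig here means that message is never produced.
 */
public class NotFoundUnknownHandler implements UnknownHandler {

    /** Package the synthetic action is reported to belong to; any package that exists in struts.xml works. */
    private static final String PACKAGE_NAME = "root"; // assumption: matches the reporter's <package name="root">

    @Override
    public ActionConfig handleUnknownAction(String namespace, String actionName) throws XWorkException {
        // Result: the "error" parameter makes HttpHeaderResult call
        // response.sendError(404), so the servlet container's own
        // <error-page> in web.xml decides what the body looks like. No
        // namespace or action name is echoed back to the client.
        ResultConfig notFound = new ResultConfig.Builder(ActionSupport.SUCCESS, HttpHeaderResult.class.getName())
                .addParam("error", "404")
                .build();

        // Action: a no-op ActionSupport whose execute() returns "success",
        // which selects the single result defined above.
        return new ActionConfig.Builder(PACKAGE_NAME, actionName, ActionSupport.class.getName())
                .addResultConfig(notFound)
                .build();
    }

    @Override
    public Result handleUnknownResult(ActionContext actionContext, String actionName,
                                      ActionConfig actionConfig, String resultCode) throws XWorkException {
        // Unknown result codes are not this handler's job; returning null lets
        // the next handler in the stack (or the default behaviour) deal with them.
        return null;
    }

    @Override
    public Object handleUnknownActionMethod(Object action, String methodName) throws NoSuchMethodException {
        // Do not guess at method names: an unknown method stays an error.
        throw new NoSuchMethodException(methodName);
    }
}
```

To wire it in, register the class as a bean of type com.opensymphony.xwork2.UnknownHandler in struts.xml (for example <bean type="com.opensymphony.xwork2.UnknownHandler" name="notFoundHandler" class="com.example.struts.NotFoundUnknownHandler" />) and reference that name from an <unknown-handler-ref> inside <unknown-handler-stack>, exactly as in the reporter's fragment above. Two things to check after deploying: first, that web.xml actually maps <error-page><error-code>404</error-code> to a static page, because otherwise the container's default error page is what the client receives (it no longer mentions Struts, but it still identifies the container); second, that a request like /asdasd/asdasdasd now returns 404 with that page rather than the Struts text, since the handler replaces the message only when it is reached before the ConfigurationException is thrown.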